summaryrefslogtreecommitdiffstats
path: root/routers/private
diff options
context:
space:
mode:
authorzeripath <art27@cantab.net>2021-10-20 21:59:05 +0100
committerGitHub <noreply@github.com>2021-10-20 16:59:05 -0400
commitc1110b867114de1ef404012e81e4c75944953052 (patch)
tree6ccd24640acb942eb94549601c70f4e9dfdb96ab /routers/private
parentc5a408df052c32ff2a1872cc65d2cac451769f35 (diff)
downloadgitea-c1110b867114de1ef404012e81e4c75944953052.tar.gz
gitea-c1110b867114de1ef404012e81e4c75944953052.zip
Ensure correct SSH permissions check for private and restricted users (#17370)
Repositories owned by private users and organisations and pulls by restricted users need to have permissions checked. Previously Serv would simply assumed that if the user could log in and the repository was not private then it would be visible. Fix #17364 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Diffstat (limited to 'routers/private')
-rw-r--r--routers/private/serv.go9
1 files changed, 7 insertions, 2 deletions
diff --git a/routers/private/serv.go b/routers/private/serv.go
index aae2a87229..8a2e96e15c 100644
--- a/routers/private/serv.go
+++ b/routers/private/serv.go
@@ -279,7 +279,12 @@ func ServCommand(ctx *context.PrivateContext) {
}
// Permissions checking:
- if repoExist && (mode > models.AccessModeRead || repo.IsPrivate || setting.Service.RequireSignInView) {
+ if repoExist &&
+ (mode > models.AccessModeRead ||
+ repo.IsPrivate ||
+ owner.Visibility.IsPrivate() ||
+ user.IsRestricted ||
+ setting.Service.RequireSignInView) {
if key.Type == models.KeyTypeDeploy {
if deployKey.Mode < mode {
ctx.JSON(http.StatusUnauthorized, private.ErrServCommand{
@@ -289,7 +294,7 @@ func ServCommand(ctx *context.PrivateContext) {
return
}
} else {
- // Because of special ref "refs/for" .. , need delay write permission check
+ // Because of the special ref "refs/for" we will need to delay write permission check
if git.SupportProcReceive && unitType == models.UnitTypeCode {
mode = models.AccessModeRead
}